OpenBSD Information for VU#464113

TCP/IP implementations handle unusual flag combinations inconsistently

Status

Not Affected

Vendor Statement

The stateful packet filter (pf) that ships with OpenBSD 3.0 and later is not vulnerable to the attacks described.

pf uses real stateful TCP filtering and keeps track of established connections using a state table. It doesn't use any TCP flags to associate a packet with an established connection, instead it uses source and destination addresses and ports to find matching state entries (and verifies sequence numbers against narrow windows).

Filter rules specify which packets create state table entries, and the required TCP flags can be specified freely. It's possible to create state only for plain SYN packets or allow any combination of other TCP flags to do so.

In no case any packet with any combination of TCP flags can bypass the policy defined in the rule set (due to the packet filter wrongly assuming it is part of an established connection), as only explicit rules can create state tables entries.

To prevent SYN+RST packets from creating state, the option 'flags S/SAR' can be used (meaning 'SYN must be set, ACK and RST must not be set'). But even the common 'flags S/SA' will only create state when the remaining rule matches, allowing SYN+RST packets to establish only connections which are already allowed for plain SYNs.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.